Due to increasing reliance on network-accessible computers, network security has become a major issue for organizations and individuals. To help ensure the security of their computers, organizations and individuals frequently install security devices between public networks and their private networks. A goal of such security devices is to prevent unwanted or malicious information from the public network from affecting devices in the private network.
These security devices are commonly referred to as firewall devices. Typically, the firewall is a dedicated device that is configured to permit or deny traffic flows based on an organization's security policies. The firewall may provide additional services, such as anti-virus (AV) scanning and detection, intrusion detection protection (IDP) and/or any other security services. The firewall device typically intercepts packets entering and leaving the private network and determines whether to permit or deny each packet based on information included within the packet that may define the state of the flow to which the packet belongs.
Usually the firewall performs this flow-based forwarding by caching or otherwise storing, for a given session, the flow state of all the packets that belong to the same flow. The first packet of a flow establishes a session, which the firewall records by storing the new session. The firewall may inspect new sessions by performing anti-virus or other intrusion detection actions. The firewall, however, need not inspect subsequent packets that belong to the same flow as closely as the first packet, because the firewall may determine, from the inspection of the first packet, that the flow does not constitute much of a threat. As a result, the firewall may comprise two paths: a first path for inspecting the first packet of a newly established flow, and a second path for handling subsequent packets associated with a pre-existing flow. The first path may be referred to simply as the “first path,” and the second path may be referred to as the “fast path,” because the second path normally does not take as long to traverse as the first path owing to the absence of detailed inspection.
In general, it is often desirable to partition and allocate the resources of the firewall so as to achieve different Quality of Service (QoS) for different types of packet flows. This is often problematic in that the handling of new packet flows and establishing new sessions often consumes a non-deterministic amount of the resources of the firewall, while handling packets associated with pre-established packet flows usually consumes a known or deterministic amount of the resources of the firewall.
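The two-path session handling and the per-class resource partitioning described above, as an added illustration that is not part of the original text and does not represent any particular vendor's implementation: a toy flow-based firewall keeps a session table keyed on the five-tuple, sends the first packet of a flow through policy evaluation and a stand-in deep inspection (the "first path"), and sends every later packet of a known flow through a fixed-cost table lookup (the "fast path"). New sessions are charged against a per-QoS-class quota so that a burst of new flows in one class cannot consume all session slots. The packet fields, the `BAD_SIGNATURE` marker standing in for an AV/IDP signature, the QoS classes and the sample trace are all constructed for this example.

```python
"""Toy flow-based firewall: first path vs. fast path with per-class session quotas.

Added illustration only; the field names, the signature marker and the
sample trace are constructed for this example.
"""
from collections import namedtuple

FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto")

# Constructed payload marker standing in for an AV/IDP signature (not a real one).
BAD_SIGNATURE = b"CONSTRUCTED-BAD-PAYLOAD"


def flow_key(pkt):
    """Direction-independent key so that reply packets hit the same session entry."""
    a = (pkt["src_ip"], pkt["src_port"])
    b = (pkt["dst_ip"], pkt["dst_port"])
    if a > b:  # canonical order: the lexically smaller endpoint comes first
        a, b = b, a
    return FlowKey(a[0], b[0], a[1], b[1], pkt["proto"])


class Firewall:
    def __init__(self, policy, class_of, class_quota):
        self.policy = policy            # list of (proto, dst_port or None, action)
        self.class_of = class_of        # function mapping a packet to a QoS class name
        self.class_quota = class_quota  # max concurrent sessions allowed per class
        self.sessions = {}              # FlowKey -> per-session state
        self.stats = {"first_path": 0, "fast_path": 0, "deny": 0, "quota_drop": 0}

    def _policy_action(self, pkt):
        """First-match policy lookup; anything not explicitly permitted is denied."""
        for proto, dst_port, action in self.policy:
            if proto == pkt["proto"] and dst_port in (None, pkt["dst_port"]):
                return action
        return "deny"

    def _deep_inspect(self, pkt):
        """Stand-in for AV/IDP on the first packet. Its cost scales with payload
        size and content, which is why first-path work is not deterministic."""
        return BAD_SIGNATURE not in pkt["payload"]

    def _class_in_use(self, cls):
        return sum(1 for s in self.sessions.values() if s["class"] == cls)

    def process(self, pkt):
        """Return (path_taken, verdict) for one packet."""
        key = flow_key(pkt)
        sess = self.sessions.get(key)
        if sess is not None:
            # Fast path: one table lookup plus counter updates, no inspection.
            self.stats["fast_path"] += 1
            sess["packets"] += 1
            sess["bytes"] += len(pkt["payload"])
            return "fast_path", "permit"

        # First path: full policy evaluation plus inspection of the first packet.
        self.stats["first_path"] += 1
        if self._policy_action(pkt) != "permit" or not self._deep_inspect(pkt):
            self.stats["deny"] += 1
            return "first_path", "deny"

        cls = self.class_of(pkt)
        if self._class_in_use(cls) >= self.class_quota.get(cls, 0):
            # Partitioned resource: one class cannot starve the others of session slots.
            self.stats["quota_drop"] += 1
            return "first_path", "drop_quota"

        self.sessions[key] = {"class": cls, "packets": 1, "bytes": len(pkt["payload"])}
        return "first_path", "permit"


def make_pkt(src_ip, dst_ip, src_port, dst_port, proto="tcp", payload=b""):
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "proto": proto, "payload": payload}


def qos_class(pkt):
    """Constructed classifier: web traffic gets its own session partition."""
    return "web" if pkt["dst_port"] in (80, 443) else "other"


def run_demo():
    """Run a constructed packet trace through the firewall; returns (firewall, results)."""
    fw = Firewall(policy=[("tcp", 443, "permit"), ("tcp", 80, "permit"), ("udp", 53, "permit")],
                  class_of=qos_class, class_quota={"web": 2, "other": 1})
    trace = [
        make_pkt("10.0.0.5", "203.0.113.10", 40000, 443, payload=b"GET /"),       # new flow -> first path
        make_pkt("203.0.113.10", "10.0.0.5", 443, 40000, payload=b"200 OK"),      # reply -> fast path
        make_pkt("10.0.0.5", "203.0.113.10", 40000, 443, payload=b"more"),        # same flow -> fast path
        make_pkt("10.0.0.6", "203.0.113.10", 40001, 443, payload=b"GET /"),       # second web session
        make_pkt("10.0.0.7", "203.0.113.10", 40002, 443, payload=b"GET /"),       # web quota full -> dropped
        make_pkt("10.0.0.8", "203.0.113.53", 5353, 53, proto="udp", payload=b"q"),  # "other" class, fits
        make_pkt("10.0.0.9", "203.0.113.10", 40003, 22, payload=b"SSH"),          # no permit rule -> deny
        make_pkt("10.0.0.10", "203.0.113.10", 40004, 80, payload=b"x" + BAD_SIGNATURE),  # signature -> deny
    ]
    results = [fw.process(p) for p in trace]
    return fw, results


if __name__ == "__main__":
    fw, results = run_demo()
    for r in results:
        print(r)
    print(fw.stats, "sessions:", len(fw.sessions))
```

Two points the trace makes concrete: only the first packet of each flow pays for policy evaluation and inspection, while the reply and later packets are resolved by a single lookup; and because the quota is charged per class at session creation time, the third web session is refused on the first path while the unrelated DNS session still gets its slot.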